We need to authenticate many users via an external captive portal, but without RADIUS/LDAP etc., so we are using Meraki Cloud Authentication. Is there a limit on how many devices we can have authenticate against a pre-configured Meraki guest user (configured in Network > Users, like so: (screenshot))? We have enabled the "Allow simultaneous logins" option, but nowhere is a limit mentioned.

We don't need to know, nor care about, the user's username (we've already validated them during the captive portal phase); we're merely using this pre-configured username/password in order to authenticate them at the end of the captive portal journey and get them online. The network could have upwards of 10,000 users per day using this username/password. (The user never knows about this user/pass; it's all done from our server side via the login_url as part of the normal external captive portal flow.)

We can't use the splash with "click through" as we're authenticating the user from the server-side API call (once they hit our external captive portal etc.), not from the user's browser by way of redirects, and click-through relies on the p_splash_session cookie, which the external server does not have access to as it's set on the nxx.network-auth.com URL initially.

Thanks
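The server-side sign-on described in the post above, as an added example by the editor (not code from the original post, nor Meraki's own). It parses the parameters Meraki appends when it redirects a client to an external sign-on portal, checks login_url before the shared guest credentials are posted to it, and builds that POST. The parameter and form-field names (login_url, continue_url, client_mac, client_ip, ap_mac; username, password, success_url) follow Meraki's sign-on external captive portal documentation as recalled here and should be checked against the current docs; the portal hostname, the nxx.network-auth.com login path and the credentials are placeholders.

```python
"""Server-side completion of a Meraki sign-on external captive portal flow.

Added example, not code from the original post or from Meraki.
Assumed (check against current Meraki docs): the client arrives at the portal
with query parameters login_url, continue_url, client_mac, client_ip, ap_mac,
and sign-on is completed by POSTing username, password and success_url to
login_url. All hostnames, paths and credentials below are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Only post the shared guest credentials to Meraki's splash hosts (assumption).
ALLOWED_LOGIN_SUFFIX = ".network-auth.com"

# The pre-configured Network > Users guest account. Placeholders; in a real
# deployment these come from a secret store and never reach the browser.
GUEST_USERNAME = "portal-guest"
GUEST_PASSWORD = "replace-me"

REQUIRED = ("login_url", "continue_url")
OPTIONAL = ("client_mac", "client_ip", "ap_mac")


def parse_excap_redirect(portal_url):
    """Pull the Meraki-supplied parameters out of the URL the client landed on.
    Raises KeyError if a required parameter is missing."""
    qs = parse_qs(urlsplit(portal_url).query)
    params = {name: qs[name][0] for name in REQUIRED}  # KeyError if absent
    params.update({name: qs[name][0] for name in OPTIONAL if name in qs})
    return params


def login_url_is_trusted(login_url):
    """login_url arrives in the client's own request, so it is untrusted input:
    only accept https URLs whose host is under the Meraki splash domain."""
    parts = urlsplit(login_url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host.endswith(ALLOWED_LOGIN_SUFFIX)


def build_login_post(params, success_url):
    """Describe the POST the portal server makes after it has validated the
    user by its own means. Returned as a dict so it can be inspected or handed
    to any HTTP client; nothing is sent from here."""
    login_url = params["login_url"]
    if not login_url_is_trusted(login_url):
        raise ValueError("refusing to send guest credentials to %r" % login_url)
    body = urlencode({
        "username": GUEST_USERNAME,
        "password": GUEST_PASSWORD,
        "success_url": success_url,
    })
    return {
        "method": "POST",
        "url": login_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


# Constructed sample: a redirected client's request URL (placeholder values).
SAMPLE_PORTAL_URL = (
    "https://portal.example.com/splash"
    "?login_url=https%3A%2F%2Fnxx.network-auth.com%2Fsplash%2Flogin"
    "&continue_url=http%3A%2F%2Fwww.example.org%2F"
    "&client_mac=a6%3A96%3Ada%3Aaa%3Abb%3Acc"
)
```

The host check matters because the design relies on one shared credential: whatever host login_url points at receives it, so the server should refuse anything that is not an https URL under the Meraki splash domain rather than trust the value as it arrived.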
Aug 13 2023 2:00 AM
Thanks. As per above then, is there a limit of clients? Meraki's group policy page says 3,000 for manually applied, however I've been able to add 70,000 without error...
Aug 12 2023 4:06 PM
I don't follow. 1. You create a template and add all your networks to it. 2. You create a group policy inside the template. 3. You assign clients to the group policy. As the group policy is mapped to the template, isn't any client added to the group policy mapped to all networks? Are you saying that despite having a group policy at template level, you still have to go into each network separately and add a client to the group policy, for the same MAC?
Aug 12 2023 3:58 PM
So if I apply all networks in the org to a template, and add the clients to a group policy defined on the template, the clients will get assigned the policy on ALL networks mapped to the template?
Aug 12 2023 1:46 PM
Thanks @RaphaelL and @alemabrahao. I thought as much. I read the same about the 3,000 limit for group policies. I've tested, via API, adding tens of thousands of client MACs and it's accepted them just fine, so now I'm not so sure. If using network templates, can you do group policies within them? Thanks
Aug 12 2023 9:33 AM
If you have 5000 networks, and you want to apply a custom group policy to some clients across your org, how can this be achieved without creating 5000 group policies (one per network) and mapping the client to each network's created group policy? Basically, we are looking to assign some clients a particular policy across the estate. Also, how many clients can be added to a group policy? We need potentially 100k+. Thanks
Yeah, got a ticket open but their support has not yet found anything, even though it has to be 100% the Meraki RADIUS cloud, as it is that which sends the RADIUS packets out (not the AP, nor anything on the customer premises). It's not the specific RADIUS proxy option, but when you enable splash page with RADIUS authentication, all RADIUS traffic comes from the Meraki cloud.
Since 12/13 April we've seen an issue across our customer estate (both in Europe and the Americas) where the Meraki Cloud RADIUS client has stopped sending us Accounting Interim and Stop packets. We do get the Start packet, however. This is for captive portal authentications (not WPA2-Enterprise).

This causes a problem because the Interim and Stop packets are needed to read the attributes that include how long the session was, how much download/upload usage there was for the session, etc.

The Start packet looks like:

User-Name = "abc123"
NAS-IP-Address = 209.206.50.44
NAS-Port = 0
Service-Type = Login-User
Framed-IP-Address = 10.3.8.112
Called-Station-Id = "E4-55-A8-AA-BB-CC:ssid"
Calling-Station-Id = "A6-96-DA-AA-BB-CC"
NAS-Identifier = "Meraki Cloud Controller RADIUS client"
NAS-Port-Type = Wireless-802.11
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = "825284631727869728"
Event-Timestamp = "May 19 2023 20:33:37 UTC"
NAS-Port-Id = "Wireless-802.11"
Meraki-Device-Name = "AP-Name-Here"
Authenticator-Field = 0x8c8d2982acee4ebbc1bd4c877dab3776

Normally, once the Start packet occurs, Interim updates are sent every five minutes until such time as the session ends, then a Stop packet is sent. We're not receiving these packets at all, across hundreds of different customers. We've performed a raw packet capture on our RADIUS server(s) and the packets don't even reach us, so the Meraki Cloud is not sending them.

Anyone else seeing this behaviour?

Thanks, James
May 31 2021 10:56 AM
Interested to know more on what you use the "Called-Station-Id" for when using the proxy, and why the format can't be changed? 🙂 Thanks
May 27 2021 9:19 PM
I really don't understand this decision. Why introduce a feature to make it more flexible, then take it away? Is there a technical reason why Meraki can't allow a customised Called-Station-Id format? This means your systems do not match and have no parity. This will mean customers are not able to use the proxy, because it still uses the BSSID as the Called-Station-Id which is not useful. In your previous reply, you state "The change from BSSID to MAC address does now align with the rest of the industry" - but not if using proxy 🤔
May 27 2021 10:25 AM
What do you mean, you don't support it because you use it? 🙂 If a packet is being proxied from an AP, it should honour the same going through the proxy. If you can customise the NAS-ID when going through the proxy, what's the problem doing the same for Called-Station-Id? This effectively means the proxy is useless as it can't be set to what it needs to be...
May 24 2021 1:21 PM
Hi Rodrigo

Correct, on the Access Control page. This is what I have set:

Association requirements: MAC-based access control
Splash page: None or Click-through

Scroll down to the RADIUS options and set:

RADIUS CoA support: Unchecked
RADIUS proxy: Checked

You'll see that when you enable the RADIUS proxy option, the new Called-Station-Id option disappears but the NAS-ID option is there!

Thanks
May 24 2021 12:02 PM
Thanks Rodrigo! This is also a similar query - wondering if you might be able to answer? https://community.meraki.com/t5/Wireless-LAN/Mac-based-authentication-with-ISE-cloud-RADIUS-server-and-CoA/m-p/119165#M17008 Thanks James
May 21 2021 3:27 PM
Something I noticed... when you enable the RADIUS proxy option, the setting for the Called-Station-Id format disappears, but the NAS-ID format option is there. This seems a little odd and I don't understand why you still can't set both?

Without proxy: (screenshot)

With proxy: (screenshot)

Bug, or something else?

Thanks
J
May 20 2021 10:27 AM
Brilliant so what you are confirming is that in MR28, by default, without the customer logging in and making a change, it will now start sending the AP MAC address in the Called-Station-Id by default (unless configured otherwise), and now include the NAS-ID and the two extra Meraki vendor specific attributes? 😁
May 20 2021 1:13 AM
Thanks Rodrigo

A couple of observations:

On our existing WPA2-Enterprise SSID, after upgrading to MR28, it started using the new Called-Station-Id settings without me setting/changing anything on the Meraki dashboard. Also, when I created a new SSID and set it to MAC-based control only, and configured basic RADIUS servers, it too automatically uses the new Called-Station-Id settings without me setting anything.

It seems the default setting for both Called-Station-Id and NAS-ID is "AP MAC address::SSID Name" / "AP MAC address::SSID Number" respectively - is this correct? (This is good for us, not complaining!)

Prior to MR28, when I connected to the SSID, it sent the following packet:

User-Name = "112233445566"
User-Password = ""
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "0C-8D-DB-11-22-33:Free_WiFi"
Calling-Station-Id = "99-88-77-66-55-44"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"

and since MR28 we now see:

User-Name = "112233445566"
User-Password = ""
NAS-IP-Address = 192.168.1.89
++ Service-Type = Call-Check
>> Called-Station-Id = "0C-8D-DB-11-22-33:Free_WiFi"
Calling-Station-Id = "99-88-77-66-55-44"
>> NAS-Identifier = "0C-8D-DB-11-22-33:vap1"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
++ Meraki-Device-Name = "0c:8d:db:11:22:33"
++ Meraki-Network-Name = "Test - wireless"

The lines marked >> are the new, configurable ones and the ones with ++ are now being included as extra, which is great.

Is this what is to be expected? Does this mean that once a customer upgrades to MR28, it will automatically start sending the new extra attributes, and change the Called-Station-Id and NAS-ID to the default format as per above (which is much better than sending the BSSID MAC)? Again, not a complaint (been waiting for this for years), just ensuring I have my facts correct.

Thanks, James
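Both RADIUS dumps quoted in this thread (the accounting Start packet in the April 2023 post and the MR28 Called-Station-Id comparison above) are in FreeRADIUS-style "Attribute = value" form. As an added example by the editor (not code from the original posts or from Meraki), the script below parses that form, groups accounting records by Acct-Session-Id and reports sessions whose last packet is a Start or Interim-Update older than a threshold, which is how the missing Interim/Stop symptom shows up on the receiving server, and splits the MR28-style "MAC:suffix" Called-Station-Id / NAS-Identifier value. The sample records are constructed in the format the posts show; the session ids, MACs and times are made up.

```python
"""Parse FreeRADIUS-style "Attribute = value" dumps (the format quoted in the
posts above), flag accounting sessions that went quiet, and split the
MR28-style Called-Station-Id / NAS-Identifier "MAC:suffix" value.

Added example by the editor, not code from the original posts or from Meraki.
SAMPLE_DETAIL is constructed: session ids, MACs and timestamps are made up.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one complete session (Start, Interim-Update, Stop) and
# one session that only ever produced a Start, as described in the thread.
SAMPLE_DETAIL = """\
User-Name = "abc123"
Calling-Station-Id = "A6-96-DA-AA-BB-CC"
Called-Station-Id = "E4-55-A8-AA-BB-CC:ssid"
NAS-Identifier = "Meraki Cloud Controller RADIUS client"
Acct-Status-Type = Start
Acct-Session-Id = "825284631727869728"
Event-Timestamp = "May 19 2023 20:33:37 UTC"

User-Name = "abc123"
Acct-Status-Type = Interim-Update
Acct-Session-Id = "825284631727869728"
Acct-Session-Time = 300
Event-Timestamp = "May 19 2023 20:38:37 UTC"

User-Name = "abc123"
Acct-Status-Type = Stop
Acct-Session-Id = "825284631727869728"
Acct-Session-Time = 540
Event-Timestamp = "May 19 2023 20:42:37 UTC"

User-Name = "def456"
Calling-Station-Id = "A6-96-DA-11-22-33"
Acct-Status-Type = Start
Acct-Session-Id = "825284631727869999"
Event-Timestamp = "May 19 2023 20:35:00 UTC"
"""

# Optional leading "++" / ">>" markers are the annotation style used in the
# posts; they are accepted and ignored.
LINE_RE = re.compile(r'^\s*(?:\+\+|>>)?\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')
TS_FMT = "%b %d %Y %H:%M:%S UTC"
# Six hex pairs separated by "-" or ":", optionally followed by ":suffix".
STATION_RE = re.compile(r'^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(.*))?$')


def parse_detail(text):
    """Split a dump into records (dicts), one per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = LINE_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip('"')
    if current:
        records.append(current)
    return records


def parse_ts(value):
    """Event-Timestamp as printed in the dumps, e.g. 'May 19 2023 20:33:37 UTC'."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def quiet_sessions(records, now, max_gap=timedelta(minutes=10)):
    """Acct-Session-Ids whose most recent packet is not a Stop and is older than
    max_gap. With five-minute interims, a ten-minute gap means two updates were
    missed, which is what the missing Interim/Stop symptom looks like."""
    last = {}
    for r in records:
        if not all(k in r for k in ("Acct-Status-Type", "Acct-Session-Id", "Event-Timestamp")):
            continue
        sid, ts = r["Acct-Session-Id"], parse_ts(r["Event-Timestamp"])
        if sid not in last or ts >= last[sid][1]:
            last[sid] = (r["Acct-Status-Type"], ts)
    return sorted(sid for sid, (status, ts) in last.items()
                  if status != "Stop" and now - ts > max_gap)


def split_station_id(value):
    """Split 'E4-55-A8-AA-BB-CC:ssid' into (mac, suffix). suffix is None for a
    bare MAC (the pre-MR28 BSSID-only style); (None, None) if the value is not
    MAC-shaped. Whether the MAC is the AP MAC or a BSSID cannot be told from
    the string alone; that needs the AP inventory."""
    m = STATION_RE.match(value)
    if not m:
        return None, None
    return m.group(1).upper().replace(":", "-"), m.group(2)
```

Run against a real detail file, the quiet-session list is what you would alert on: a Start with no Interim-Update or Stop within two interim intervals is either a dropped session or, as in the thread, an upstream client that has stopped sending. The station-id splitter normalises the MAC to the dash-separated upper-case form the dumps use so it can be joined against a device inventory.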
May 19 2021 12:28 PM
Great - can you tell me, the new RADIUS options for Called-Station-Id and NAS-ID, what RADIUS requests do they affect? Does it change all RADIUS traffic, even captive portal RADIUS, or just 802.1X? Is MAC authentication also included? At present, without setting any of the new options, captive portal RADIUS traffic uses the AP MAC address as the Called-Station-Id, but 802.1X and MAC authentication use the BSSID MAC instead. Thanks, James
May 19 2021 4:49 AM
Hi Alexander

Might you be able to provide some more detail/documentation around this in particular:

[New] RADIUS enhancements (e.g., NAS-ID configuration, Called-Station ID configuration)

Thanks, J
Nov 15 2018 7:52 AM
Hi Jonas

You are correct. If you manually open a browser and try to browse to a URL that starts with https:// (or a site that only uses https://), then the AP cannot redirect you to the splash page, because it cannot intercept the traffic. Therefore, it will time out. To reach the splash page, you have to navigate to an http:// site. I understand this is difficult to have users understand, and they will typically just try and search Google from their browser, which will also fail as Google uses https:// too.

This isn't a Meraki thing, it's an industry-standard problem with captive portals and https (SSL). If you try the same on another make of AP you'll see the same behaviour. It's just the way it is, I'm afraid. Some AP manufacturers try to intercept the https:// request, but this IMO is worse because it then throws a big SSL warning/error page at the user saying the certificate is invalid and your session might be hijacked (man-in-the-middle warning). This happens because the SSL certificate provided is not the real one, but one provided by the AP, and of course the host name on the certificate does not match.

But the issue here is that you shouldn't get to a position where you need to open a browser and visit an http site. You should automatically get the CNA popup, which will then correctly show the splash page on the device.

P.S. There is no problem hosting your splash page on https://, because the splash URL is in your allowed walled garden list, so that traffic CAN reach the real site. The CNA check on iOS/Android/Windows etc. is always an http:// request, by the way, otherwise that would fail.

Thanks
James
https://purple.ai
Nov 15 2018 7:32 AM
Hi Jonas

Yeah, when you connect to the SSID the Apple device should automatically fire an HTTP request to an Apple URL to detect whether it's in a captive portal or not. If it is, i.e. it cannot reach this URL, it should automatically pop up the CNA and redirect to your configured splash URL. If this isn't happening then first ensure you haven't got any Apple-based domains in your walled garden, and that Auto-Join and Auto-Login are enabled on the iOS device itself, under the SSID settings.

Thanks
James
Purple
https://purple.ai
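The behaviour described in the last two posts (http requests from an unauthenticated client get redirected to the splash page, https requests time out, walled-garden hosts pass, and a probe host left in the walled garden keeps the CNA from appearing), as an added example by the editor, not code from the original posts or from Meraki. The walled-garden entry forms (a hostname or a *.domain wildcard), the splash URL and the probe URLs are assumptions; the Apple, Android and Windows probe URLs are the commonly cited connectivity checks and are included here as constructed sample data.

```python
"""Simulate what an AP with a splash page does with an unauthenticated
client's request, given the SSID's walled garden, and check that the walled
garden does not let OS captive-portal probes through.

Added example by the editor, not code from the original posts or from Meraki.
Assumptions: walled-garden entries are hostnames or '*.domain' wildcards; the
splash URL is a placeholder; PROBES is constructed sample data listing the
commonly cited OS connectivity-check URLs.
"""
from urllib.parse import urlsplit

SPLASH_URL = "https://portal.example.com/splash"  # placeholder

# Constructed sample: OS captive-portal probes. All are plain http, which is
# what lets the AP redirect them; an https probe could not be redirected.
PROBES = {
    "ios": "http://captive.apple.com/hotspot-detect.html",
    "android": "http://connectivitycheck.gstatic.com/generate_204",
    "windows": "http://www.msftconnecttest.com/connecttest.txt",
}


def host_allowed(host, walled_garden):
    """True if host matches an exact entry or a '*.domain' wildcard entry
    (the wildcard also matches the bare domain)."""
    host = host.lower().rstrip(".")
    for entry in walled_garden:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def ap_action(url, walled_garden):
    """'pass' if the host is in the walled garden; 'redirect' for any other
    http URL (the AP answers with a redirect to SPLASH_URL); 'timeout' for
    https, which the AP cannot intercept without a certificate warning, so the
    connection simply hangs, as the post above describes."""
    parts = urlsplit(url)
    if host_allowed(parts.hostname or "", walled_garden):
        return "pass"
    if parts.scheme == "http":
        return "redirect"
    return "timeout"


def redirect_target(url, walled_garden):
    """The Location the AP would send for a redirected request, else None."""
    return SPLASH_URL if ap_action(url, walled_garden) == "redirect" else None


def leaked_probes(walled_garden):
    """OS names whose probe the walled garden passes. A device whose probe
    gets through believes it is online and never shows the CNA/splash."""
    return sorted(os_name for os_name, url in PROBES.items()
                  if ap_action(url, walled_garden) == "pass")
```

The check to run before changing a walled garden is leaked_probes(): an entry such as *.apple.com, added for some other purpose, lets the iOS probe through and produces exactly the "no CNA popup" symptom discussed above, while the splash host itself must be in the list or the redirect target would be unreachable.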